Hello,
I’m trying to find a way to validate that all of my hosts' logs are making it into Helix.
I tried querying with “class=ms_windows_event | groupby rawmsghostname” but I think I’m running into a 50-bucket limit on groupby.
Is there another way to do this, or to raise the limit for a particular search?
Even returning the bucket names rather than the whole response (including the events) would solve the problem.